TITAN: Combining a bidirectional forwarding graph and GCN to detect saturation attack targeted at SDN

The decoupling of control and forwarding layers brings Software-Defined Networking (SDN) the network programmability and global control capability, but it also poses SDN security risks. The adversaries can use the forwarding and control decoupling character of SDN to forge legitimate traffic, launching saturation attacks targeted at SDN switches. These attacks can cause the overflow of switch flow tables, thus making the switch cannot forward benign network traffic. How to effectively detect saturation attack is a research hotspot. There are only a few graph-based saturation attack detection methods. Meanwhile, the current graph generation methods may take useless or misleading information to the attack detection, thus decreasing the attack detection accuracy. To solve the above problems, this paper proposes TITAN, a bidirecTional forwardIng graph-based saturaTion Attack detectioN method. TITAN defines flow forwarding rules and topology information, and designs flow statistical features. Based on these definitions, TITAN generates nodes of the bi-forwarding graph based on the flow statistics features and edges of the bi-forwarding graph based on the network traffic routing paths. In this way, each traffic flow in the network is transformed into a bi-directional forwarding graph. Then TITAN feeds the above bidirectional forwarding graph into a Graph Convolutional Network (GCN) to detect whether the flow is a saturation attack flow. The experimental results show that TITAN can effectively detect saturation attacks in SDNs with a detection accuracy of more than 97%.


Introduction
Software-Defined Networking (SDN) is an emerging network architecture that brings great changes and enhancements to traditional networks.SDN is consisted of the application layer, northbound interface, control layer, southbound interface, and forwarding layer.The application layer consists of various network services and applications.The control layer is responsible for controlling network traffic while the forwarding layer only needs to forward network traffic under the instructions made by the control layer.At the same time, applications in the application layer can utilize various network services provided by the control layer through the northbound interface.Multiple controllers can work together through the east-west interface.SDN has network programmability and good scalability in both vertical and horizontal directions.Therefore, SDN is widely used in cloud data center networks [1], Internet of Things (IoT) [2], and blockchain [3].
The separation of forwarding and control function enables SDN to be widely used in some areas, but it also poses security risks to SDN.Specially, adversaries can exploit the unique forwarding and control separation mechanism to launch saturation attacks.Due to the high cost and power consumption of Ternary content-addressable memory (TCAM), SDN switches can only install a limited number of flow entries [4].The adversaries can utilize the limited TCAM of SDN switches to launch saturation attacks targeted at overwhelming the SDN switches [5].More specifically, they can send elaborated attack packets to the target switch, causing the switch to install many flow entries.Eventually, the above flow entries exhaust the TCAM memory and cause the SDN switch fail to install new forwarding rules, thus disrupting the transmission of benign traffic.For instance, Zhang et al. [6] proposed an enhanced saturation attack Table-miss Striking Attack, in which the adversary first uses various low-rate probe packets to probe the detailed information of flow entries, especially for the match field and survival time.Based on these information, it forges some attack packets to inveigle the switch send packet-in messages to the controller.Then the controller will send a lot of flow-mod messages to install flow entries in the switch.At last, the switch will be occupied by the malicious flow entries.
How to detect saturation attacks is a serious challenge in SDN.Some researchers use machine learning-based approaches to detect network attack [7].Due to its high detection accuracy, a few studies have applied Graph Neural Networks (GNN) to DDoS attack detection in SDNs.For instance, by mapping the SDN network as a graph, the method proposed in [8] first identifies the switches under DDoS attack, and then precisely locates the entrance switch of attack flow.The literature [9] also maps SDN smart grid as graphs, but it firstly detects whether the network is anomalous and then identifies the phasor measurement unit that suffer DDoS attacks.Meanwhile, some researchers have applied Graph Attention Networks (GAT) to anomaly detection in sensor networks to identify anomalous sensor nodes [10].The detection objects in the literature [9,10] are network nodes and it do not discriminate the traffic.The literature [11] transforms the session instances into K-Nearest Neighbors (KNN) graphs and uses the GCN model to detect each KNN graph.The KNN graph in [11] is generated by calculating the Euclidean distance between features of different instances.Then the k nearest nodes is selected to add edges for the central node.When using KNN graph to detect SDN saturation attack, it needs to convert each network flow into a KNN graph.GCN-TC [12] uses traffic trace graph to represent traffic flows.In traffic trace graph, nodes are traffic flows, and edges denote that nodes have common IP hosts.When using GCN-TC to detect SDN saturation attack, edges will be added among nodes that have common IP hosts, regardless of the type of nodes.Hence, it may make the GNN model aggregate attack node information using incorrect neighbor nodes, causing the decrease of detection performance.
In conclusion, although GNN can achieve high detection accuracy, there are very few graph-based saturation attack detection methods in SDN.Meanwhile, the existing graphbased saturation attack detection methods are facing with the following issues.
• Issue 1: the edges generated by existing graph generation methods maybe incorrectly connected.When using KNN graph, the features are normalized as nodes, and it adds edges based on the Euclidean distances among different nodes.Such an edge does not carry useful information and only indicates that a few types of features are similar in value.In addition, the traffic trace graph adds edges depending on whether the nodes have a common IP host.
Hence, traffic trace graph may generate edges connected the normal flow nodes and attack flow nodes.These edges may take incorrect information to GNN model.
• Issue 2: incorrectly connected edges may have negative effect on aggregating nodes information of GNN.It is known that the statistical characteristics of normal flow nodes and attack flow nodes are quite different.When GNN model aggregates the nodes information using traffic trace graph, the incorrectly connected edges among normal and attack nodes will make GNN aggregate the attack nodes information based on the normal nodes information.Hence, GNN will weaken the difference between these two kinds of nodes instead of enhancing it.In conclusion, the incorrectly connected edges will decrease the detection accuracy.
To solve the above problem, this work focuses on how to detect saturation attack flows against OpenFlow switches.Hence, we propose TITAN, a bidirecTional forwardIng Graph and GCN-based saTuration Attack detectioN method.TITAN designs a bidirectional forwarding graph generation algorithm, by defining the notion of topology information and flow forwarding rules and designing flow statistical features.The bidirectional forwarding graph generation algorithm transforms each flow in the SDN network into a bidirectional forwarding graph.Meanwhile, a GCN model including three graph convolutional layers, one fully connected layer, and one classification module is designed to identify whether the bidirectional forwarding graph belongs to saturation attack.
Main contributions of this work are listed as follows.
• This work proposes TITAN, a bidirectional forwarding graph and GCN-based saturation attack detection method.TITAN designs a bidirectional forwarding graph generation algorithm to convert each flow into a bidirectional forwarding graph, and then it uses GCN to implement the detection of saturation attack flows in SDNs.
• As far as we know, TITAN is the first work that converts all information about a network flow into a single graph to detect saturation attack flow.When generating the bidirectional forwarding graph, TITAN constructs node information based on the topology and flow statistics features.Meanwhile, the edge information is generated based on the topology information and flow forwarding rules.
• TITAN designs a GCN model consisted of three graph convolutional layers, one fully connected layer, and one classification module to detect the bidirectional forwarding graph.
• The evaluation results show that TITAN can effectively detect saturation attack flows in SDNs.
The remainder of this paper is organized as follows.Section 2 investigates the state-of-theart works on saturation attack detection and graph-based attack detection.The background is introduced in Section 3. Section 4 presents the detailed architecture of TITAN.The evaluation is shown in Section 5. Section 6 summarizes the conclusions of this work.

Related works
Section 2 gives the description of related works.It first summarises the graph-based attack detection methods in subsection 2.1, and then describes the current SDN saturation attack detection methods in subsection 2.2.Meanwhile, at the end of subsection 2.2, we analyze the differences among the proposed method and other graph-based network attack methods.

Graph-based attack detection method
Cao et al. used in-band network telemetry to obtain the device state of the SDN data layer and map the data layer into a graph [8].To identify whether a switch is passed by DDoS flows, this method employs a ST-GCN (Spatio-Temporal Convolutional Graph Convolutional Network) to detect DDoS attack.Finally, a defense strategy is proposed based on the attack detection result.The author in [9] proposed a DDoS detection method in SDN smart grid environment called GLASS.GLASS maps the SDN smart grid into an undirected graph by calculating the transmission delay between adjacent phasor measurement units (PMU), the average transmission delay of a central PMU and its all neighboring PMUs as the edge weights and the weight of the central PMU node, respectively.GLASS is divided into two phases, first determining whether the SDN smart grid is under DDoS attack using a GCN and then using a spectral clustering algorithm to determine the PMU under attack.Some researchers have used the graph attention mechanism for anomaly detection in sensor networks [10].This method uses nodes to represent sensors, calculates the cosine similarity between nodes using their feature vectors and adds edges using the TOPK algorithm to generate the graph.Subsequently, the anomalous sensor nodes in the graph are identified with GAT.Liu et al. [11] proposed a graph generation approach to create knn graphs for each flow instance.This approach uses nodes to represent features, calculates the Euclidean distance between features, and adds undirected edges between nodes based on the k-nearest neighbor algorithm.Finally the attack detection is done using GCN for graph classification.GCN-TC, proposed in [12], uses traffic trace graph to classify network flows.In traffic trace graph, nodes represent traffic flow, edges denote that nodes have common IP hosts.After generating the traffic trace graph, GCN-TC uses GCN model to classify a traffic trace graph belongs to different kinds.
These works [8,9] are multi-stage detection methods with coarse grained followed by fine grained.The multi-stage detection method has a problem of long detection time.In particular, the GLASS can only identify the attacked switch.Additionally, implementing mitigation strategies based on the attacked switches may have an impact on normal traffic.The work in [10] suffers the same issue as the GLASS.The approach in [11] takes a more fine-grained approach and creates graphs for each session.The traffic trace graph in [12] has the problem that it may connect normal and attack nodes, resulting in low detection accuracy.However, graph data occupies more memory than text, which may slow down model training and detection.In conclusion, GNN-based methods can be effectively used in attack detection.However, many current approaches have limitations, like some studies have been confined to the graph node classification problem for the application of GNN.
Main differences between TITAN and the existing graph-based network attack detection methods are shown in Table 1.The main limitation of the existing graph-based network attack detection methods is that the graphs generated by these works may lead to incorrect connections between different nodes, which makes GNN model aggregate node information based on incorrect neighbor nodes.Therefore, the detection accuracy of these methods maybe decreased.To overcome the above issue, this work proposes TITAN.TITAN designs a graph information preprocessing method, a bidirectional forwarding graph construction method and a Bifor-Graph-based saturation attack detection method to detect saturation attacks in SDN.

Other saturation attack detection method
Li et al. [13] proposed a saturation attack detection method named SA-Detector.It uses the self-similarity of OpenFlow traffic in SDN southbound interfaces to detect saturation attacks.Khamaiseh et al. [14] found that the existing saturation attack detection methods usually acquire network information periodically and only detect saturation attacks caused by TCP-SYN.Hence, these methods cannot detect unknown types of saturation attacks, and they cannot detect saturation attack in time.Therefore, they investigates the variation of OpenFlow traffic triggered by multiple saturation attacks and identify saturation attacks using SVM, NB, and KNN algorithm.Huang et al. [15] analyzed the saturation attack characteristics.When an attack occurs, they found the Packet-In messages rise dramatically and the occupancy of the link bandwidth between each switch and the controller becomes unstable.Thus, the number of Packet-In messages and the entropy value of the control channel occupancy are utilized to detect the attack.The vSwitchGuard [16] is proposed to defend OpenFlow switches against saturation attacks.The authors found that when a saturation attack against switch exist in SDN, a large number of packets cannot be matched with flow entries, causing a large number of Table-miss packets and Packet-In messages.Hence, the saturation attack can be located by calculating the entropy value of the source IP address of Table-miss packets and the proportion of Table-miss packets among all received packets.In summary, current saturation attack detection techniques heavily rely on the variation of the interaction information between the control and forwarding layer.However, the above methods are lacking the analysis of the variation of flow entries triggered by saturation attacks.Therefore, the above methods can only determine whether the network is under attack or locate the attack target.They cannot identify the saturation attack flow, thus cannot provide enough information for the saturation attack mitigation.

Background
In this section, we provide the background of this work.Firstly, we introduce the principle of saturation attack against SDN switch in subsection 3.1.Subsequently, subsection 3.2 briefly presents the graph convolutional network.

Saturation attacks targeted at the SDN switch
SDN consists of an application layer, a control layer, and a forwarding layer.SDN switches forward packets based on flow entries.If the switch does not have a flow entry that matches the packet, the SDN switch encapsulates the packet in a Packet-In message and sends it to the controller, and the controller calculates the route based on the packet's address information.The controller then encapsulates the routing information in a Packet-Out message back to the SDN switch, which installs the flow entry based on the Packet-Out message [17].This particular control forwarding mechanism raises security threats to the SDN.Saturation attacks exploit this forwarding mechanism to launch attacks on the SDN forwarding layer and disrupt normal network communication.The attacker can attack a legitimate switch through a malicious host, SDN switch TCAM has limited memory and can install limited flow entries.The attacker prompts the switch to install illegal flow entries by sending a large number of invalid packets.
When the illegal flow entries occupied the flow table storage of the switch, the forwarding rules matching normal packets cannot be installed, which resulted in the disruption of normal flow in the network.It should be noted that, in this work, we do not consider the saturation attack targeted at the SDN controller [18].It mainly focuses on detection of saturation attack targeted at the SDN switches.
In conclusion, the purpose of the saturation attack targeted at the SDN switch is to overwhelm the flow entry storage capacity of the target switch.Fig 1 illustrates the workflow of a saturation attack against the SDN switch, which contains twelve steps listed as follows.
• Step 1 and 2: Controlling zombies.The adversary controls a set of zombies using Control and Command(C&C) messages.Then, the adversary commands these zombies to send saturation attack packets to the targeted switch.
• Step 3: Parsing packets.The targeted switch parses these saturation attack packets, and then it tries to find flow entries that match these packets.
• Step 4: Sending Packet-In messages.The saturation attack packet can not match all flow entries of the target switch.The target switch encapsulates these un-matched packets in the Packet-In messages and sends them to the SDN controller.
• Step 5, 6, 7, and 8: Processing Packet-In messages.The SDN controller parses Packet-In messages generated by un-matched packets and delivers these packets to the related application server.Then, the application server makes the processing decision based on the un-matched packets and returns them to the SDN controller.
• Step 9, 10: Implementing processing decisions.According to the above decisions, the SDN controller encapsulates Packet-Out messages and sends them to the switch to install flow entries.• Step 12: Keeping flow entries alive.The adversary makes the zombies continuously send packets that match the newly installed flow entries to keep these flow entries alive on the switch for a long time.
Using the above steps, the adversary can achieve the purpose of overwhelming the flow entry storage capacity of the target switch.

Graph Convolutional Network
Graph neural network (GNN) extends traditional neural networks and enables it to process data represented by graphs [19].GNN are commonly used for classification and regression tasks.In classification tasks, GNN usually abstract the instances as graphs and extract the features of their nodes or edges as the input of GNN.The final output is the classification result of the node, edge, or graph.
Graph Convolutional Network (GCN) is a generalization of Convolutional Neural Network (CNN) in the graph domain.GCN is a convolutional neural network that can work directly on a graph and exploit its spatial structure information.The GCN aggregates the feature information of each node itself and all its neighbor nodes.Also, the degree of each node in the graph is considered in the aggregation operation to reduce the impact caused by the degree imbalance of different nodes.The final weighted average of the features including the node itself and all its adjacent nodes is obtained, and the relatively optimal graph embedding representation is procured.

TITAN: A bidirectional forwarding graph and GCN-based saturation attack detection method
This section gives the detailed description of TITAN.We firstly present the overview of TITAN in subsection 4.1.Then, in subsections 4.2, 4.3, and 4.4, we present the graph information preprocessing method, bidirectional forwarding graph construction method and the Bifor-Graph-based saturation attack detection method, respectively.

Graph information preprocessing
TITAN utilizes graphs to represent network flows based on the information of network flows and network topology.The SDN controller has a global view over the entire network [28].Therefore, as shown in Fig Here, ℓ i is the link between a host and a switch or the link between two switches.φ p and φ q are IP addresses of hosts or IDs of switches.
φ s is the source IP address.φ d is the destination host IP address.φ j d is the switch and ψ out is the outgoing port.γ j is the forwarding rule.γ j means that in switch φ j d , the packets with source IP φ s and destination IP φ d should be forwarded via port ψ out .Each traffic flow has one or more forwarding rules, therefore χ i = {φ s , φ d , γ 1 , . .., γ n } means that the flow from φ s to φ d is forwarded by n switches.
Based on our previous research [18,29,30], TITAN extracts five flow-based statistical features to detect saturation attack flow.Usually, the saturation attack against an SDN switch tries to deplete the flow entry storage of the switch.Hence, it can prevent the switch from installing new flow entries and translating new packets.Unlike traditional momentary and burst DDoS attacks, the attacker needs to send attack flows to the target switch periodically to add new flow entries and lengthen the survival time of these flow entries.This means that the saturation attack flow against the switch has two main properties, the periodicity and the longer survival time of the flow entries.More specially, the saturation attack tries to make the abnormal flow entries always exist in the switch, while the normal flow table entries are usually deleted due to the timeout.So the survival time of the saturation attack flow is longer than that of the normal flow entries.With the above analysis, TITAN extracts 5-dimensional statistic features f = {α, V α , β, V β , τ} as the main statistical features to generate the bidirectional forwarding graph.
• α.The total packet number of a traffic flow.In SDN, a new arrival packet will make the controller install a new flow entry on the switch.And the goal of saturation attack is to occupy the flow table space.Besides, the attacker often send less malicious packets in order to make the saturation attack more stealthy [31].Hence, there is a difference in the total packet number between the normal flow and attack flow.
• V α .The packet rate of a network flow during a sampling interval.T is the current moment and Δt is the sampling period.The saturation attack makes the malicious flow entries alive by sending attack flows periodically.However, the communication of normal terminals is irregular.Therefore, there is a difference in the packet rate between the normal flow and attack flow.
• β.The total byte number of a traffic flow.Similarly, when launching a saturation attack, each attack flow carries a small length of data for concealing the attack traffic [31].However, the byte number of normal flow is irregular.Hence, the total byte number of a flow can be utilized to identify the normal flow and attack flow.
• V β .The byte rate of a network flow during a sampling interval.According to the analysis of the packet rate of a network flow, the byte rate of attack flow and normal flow show a similar difference with the total byte number of a traffic flow.Therefore, the byte rate of a network flow during a sampling interval can also be employed to detect attack flows.
• τ.The survival time of a flow.The goal of a saturation attack against SDN switches is to occupy the flow table storage capacity.The adversary needs to send malicious packets before the malicious flow entry idle timeout arrives to lengthen the survival time of the malicious flow entry.Hence, the survival time of attack flow entries is longer than normal flow entries.
In other words, the survival time of a flow is a representation of the saturation attack flows.

Graph G i end for return Graph
Then, TITAN utilizes f to represent a flow, and F = {f 1 , . .., f k } is the set of all flow.After preprocessing the topology information L, flow forward rules O, and flow statistical features f, TITAN will deliver the above data to the second step to construct the BiFor-Graphs.

Bidirectional forwarding graph construction
TITAN designs BiFor-Graph, a bidirectional forwarding graph generation algorithm, with the definitions of topology information L, flow forwarding rules O and flow statistical characteristics F = {f 1 , . .., f k } in Section 4.2.BiFor-Graph translates each flow of the network to bidirectional forwarding graphs.As shown in Algorithm 1, at first, for each χ i in O, it generates an empty graph G i = (V, E, F) for each flow by applying the function Γ.Here, V is the node set and E is the edge set.
After obtaining the empty graph G i , BiFor-Graph gets the nodes and edges information of the graph.It first insert v 0 corresponding to the source host φ s and its node information F(φ s ) into V. BiFor-Graph searches the next hop using Eq 7.This function can extract the next-hop based on the topology information L and flow forwarding rules O.After obtaining the next hop of φ s , BiFor-Graph starts to generate other nodes and links in sequence based on L and O. Specially, the next hop v 1 of v 0 is generated using Eq 8. Then v 1 is inserted into V and the related link < v 0 , v 1 > is inserted into E.For each node, The search process will continue until the destination host φ d is found.
Up to now, the nodes and edges from φ s to φ d have been completely loaded into the G i .In the next step, the path from φ d to φ s is added to the G i .Ultimately, the BiFor-Graph writes node information to the graph based on the flow statistical features F to obtain a bidirectional forwarding graph of the current traffic flow.
For a saturation attack flow, suppose that its statistical features on each switch have been calculated as F. We give an example for describing the constructing process of Bifor-graph in Fig 3 .Assuming that φ 1 (10.0.0.1) is sending packets to φ 4 (10.0.0.4).The relevant flow entries are installed on S1, S2, S3, and S4.TITAN will first preprocess the topology information, flow forward rules and statistical features.Subsequently, TITAN constructs bidirectional forwarding graph using the BiFor-Graph algorithm based on the pre-processed data.Specially, BiFor-Graph generates an empty graph G = (V, E, F).Then it inserts the source node v 0 of source host φ 1 and its node information F(φ 1 ) into V.Subsequently, it searches the next-hop of φ 1 , < v 1 >.Then the information about the switch S1 is calculated and assigned as the value of < v 1 >.The link < v 0 , v 1 > between the two nodes is generated and added into E. BiFor-Graph continues to search for nodes that the flow passes through until the destination host φ 4 is searched.Then it start to find and add the reverse path of the flow to G. Finally, we obtain a bidirectional forwarding graph of the flow between φ 1 and φ 4 .
Then, TITAN will feed the BiFor-Graphs to the detection model for identifying saturation attack flows.

Saturation attack detection based on BiFor-Graph
For a traffic flow, after generating a bidirectional forwarding graph G = (V, E, F), TITAN utilizes GCN to determine whether the bidirectional forwarding graph is saturation attack.TITAN aggregates the neighbor node information to the central node based on the graph structure to improve the representability of the graph.As shown in Fig 4, the saturation attack detection model consists of three graph convolutional layers, one fully connected layer, and one classification module.At first TITAN extracts the adjacency matrix A, degree matrix D and feature matrix X from G. Then the detection model performs a convolution operation on a node in G.It first extracts the feature of the central node's neighbors as convolution parameters.Then it merges the node's own feature into the convolution operation.Finally, the saturation attack detection model represents a node using the combined features of itself and its neighbors.The graph convolution layer is described as Eq 9.
In Eq 9, σ is the active function.
) denotes the adjacency matrix A plus the identify matrix after adding the self-loop for each node.D indicates the degree matrix after adding the self-loop.W l means the weight matrix of the l-th convolution layer, while H l is the feature matrix calculated after the operation of the l-th graph convolution layer.In particular, H 0 = X.
With three graph convolution layers, the model learns a more comprehensive representation for each node in G.It is followed by aggregating the features of each node as the graph feature using the Readout function shown in Eq 10.H n = { h1 ; h2 ; :::; hN } is the node feature matrix of G that will be processed by the n-th graph conv layers.More specifically, N is the node number and hi is the feature of i-th node.In Eq 10, Feat G is obtained by calculating the mean value of all node features in input graph G.
After obtaining the graph feature Feat G by Readout, the Feat G is input into the fully connected layer for calculating the probability of whether the bidirectional forwarding graph is saturation attack.And (y 0 ,y 1 ) is the output of the fully connected layer.Then we minimize the loss function cross-entropy between y j and the original label y to optimize this model: During the saturation detection, the final output probability y j is mapped to the (0, 1) using Softmax, and the value can be considered as the probability that the instance is a saturation attack.The Softmax is shown in Eq 12.
Finally, TITAN uses argmax function to identify whether the bidirectional forwarding graph belongs to attack instance.The argmax will output the category with the maximum in f (y 0 ) and f(y 1 ).At last, predict G , the detection result of bidirectional forwarding graph G is calculated by Eq 13.

Experiments and evaluation
This section describes the evaluations of TITAN with three subsections, namely, Experiment Setup (subsection 5.1), Changes of Features (subsection 5.2) and Saturation Attack Detection Performance Comparison (subsection 5.3).

Experiment setup
We select the Ryu 1.4 as the SDN controller.For hosts and switches, this evaluation employes Mininet 2.3.0 for simulation according to the analysis about Mininet [32].Simultaneously, it utilizes the OpenFlow 1.3 protocol as the southbound interface communication protocol.To verify the effectiveness of TITAN, we construct the Fat-tree topology that contains twenty switches and thirty-two hosts, as shown in Fig 5 .More specially, the Fat-tree topology consists of four core switches(S1001-S1004), eight aggregation switches(S2001-S2008) and eight edge switches(S3001-S3008).Besides, each edge switch is connected to four hosts.
For verifying the effectiveness of TITAN, this evaluation simulates a saturation attack targeting at SDN switches.In the experiment, eight hosts are randomly selected to send TCP, UDP, and ICMP data packets to each other to simulate background traffic as our previous works [18,29,30].In this evaluation, we try to attack the switch S3008.Hence, we randomly selects four hosts as the saturation attackers and make these hosts send saturation attack traffic to hosts 10.0.0.29, 10.0.0.30, 10.0.0.31, and 10.0.0.32.The attack traffic causes S3008 to install the malicious flow entries.The attacker will also periodically inject the attack traffic into the network to prolong the survival time of the malicious flow entries.Eventually, the flow table storage of S3008 overflows and the normal communication of the network is affected.To verify the effectiveness of TITAN, this evaluation sets 9 attack traffic proportions, from 10% to 90%.The attack traffic proportions is the percentage of attack traffic accounts for total network traffic.
The GCNID [11], GCN-TC [12], Logistic Regression (LR), Naive Bayes (NB), and Support Vector Machines (SVM) algorithms are selected as the comparison algorithms in this evaluation.GCNID generates one KNN graph for each flow.Then the KNN graph is sent to the GCN model for detecting saturation attack.GCN-TC produces a traffic trace graph.Its nodes represent the traffic flows and its edges denotes the nodes have common IP address.Saturation attack detection is performed by analyzing the nodes in that graph.The LR, NB, and SVM algorithms utilize the flow statistical features for performing saturation attack detection.

Changes of features
Subsequently, we will analyze the trend of the statistical features selected by TITAN with respect to attack and normal traffic.From Fig 6, we can see that when the saturation attack traffic proportion are 10%, and 80%, the average bytes rate differs significantly from that of normal traffic.However, when the attack traffic proportion is 40%, the byte rate of attack flow is similar with the normal flow.From Fig 6a, the maximum byte rate of the attack flow is close to 2 thousands bytes per second when the total flow ratio is 10%.The interval between each attack is 1 to 4 cycles, which shows a regular change.In Fig 6b, when the attack traffic proportion is increased to 40%, the byte rate of attack flow is close to that of the normal traffic.The reason for this phenomenon is that the saturation attack traffic improves to 40%, the normal traffic accounts for 60% of the total network traffic.Hence the byte rate of attack and normal traffic is similar.When the attack ratio is raised to 80%, the byte rate of the attack traffic can reach up to about 30 thousands bytes per second, which is quite bigger than normal traffic, as seen in Fig 6c .Since the saturation attack is launched through multiple threads in the simulated experiment, the period of the attack may not be consistent for each thread, and results in the period of the attack being less regular in Fig 6c.

Average packets rate and bytes rate.
Fig 7 illustrates the variation of average packets rate when the attack traffic proportion are 20%, 50%, and 90%.When the attack traffic proportion is 20%, the average packet rate of normal traffic is higher than attack traffic from Fig 7a .If the attack traffic proportion increases to about 50%, the packet rate of the attack traffic is close to the normal traffic for most cycles.As the attack traffic proportion raises to 90%, the attack flow has higher average packet rate than normal traffic.Meanwhile, the saturation attack also shows more clear periodicity.
In conclusion, from Figs 6 and 7, we can conclude that the average byte rate and packet rate of normal traffic changes randomly and irregularly.On the other hand, the saturation attack traffic is always injected into the network periodically.When the attack traffic proportion is low or high, it is easy to detect the saturation attack flow.However, when the proportion of attack traffic is 40% or 50%, the difference of average byte rate and packet rate of the attack The reason of this phenomenon is that the normal traffic in this evaluation is randomly launched, and the OpenFlow switch installs flow entry for newly traffic using idle timeout.In this case, the normal flow entries may be deleted due to the overtime of idle timeout.However, for the saturation attack, it will try its best to make the attack flow entries survival long time in the switch.Hence, it will periodically send attack traffic into the network to lengthen the lifetime of the attack flow entries.Therefore, the average lifetime of attack flow entries keeps growing, with a higher speed than normal flow entries.For instance, in the 70th cycle, the survival time of normal flow entries reaches 1000s and then a pause occurs.At this point, the average survival time of normal flow entries stops growing as some normal flow entries reach the idle timeout and these flow entries are deleted.Then the switch installs new flow entries for the relevant traffic flows.However, the survival time of the attack flow entries always increases linearly.At the 80th cycle, the average survival time of the attack flow entries grows to 1800s, while the survival time of the normal flow entries reaches only 1200s.
In conclusion, the survival time of attack flow entries is higher than normal flow entries from
The eight evaluation metrics are defined as follows.
The horizontal axis of ROC curves is the FPR and the vertical is the TPR.AUC = (1 +TPR-FPR)/2 is the area under the ROC curve, which ranges from 0 to 1.As AUC gets closer to 1, the more accurate the detection will be [33].Additionally, Rec is the horizontal axis and Pre is the vertical axis in the P-R curve.
From Table 3, it can be seen that when the attack traffic proportion is about 50%, TITAN achieves the worst detection performance.However, most Acc, Rec, Pre, F1, FA, and MR values of TITAN are better than other methods.
When the attack traffic proportion is low, TITAN also reaches better ROC and P-R curves than GCNID, GCN-TC, LR, NB, and SVM.For example, Fig 10 shows the ROC curves and   For the medium attack traffic proportion, it is observed from the section 5.2 that with the attack traffic ratio rising to 40%, 50%, and 60%, both the packet rate and byte rate of attack and normal flow are closer to each other.Hence, we can observe from Table 3 that the detection accuracy of TITAN starts to decrease when the attack traffic proportion is 40%, and drops to a minimal 98.11% at attack ratio is 50%, and the MR increases to 3.8%.Meanwhile, for the three medium attack proportions, the Pre value of TITAN is 99.66%, 100.0%, and 100.0%, while the Rec value is 98.21%, 96.21%, and 97.63%, respectively.It demonstrates that distinguishing attack flows from normal flows is difficult in medium-ratio attacks.
We choose the ROC and P-R curves in  3, the Rec value of GCN-TC is 50% when the attack ratio is 50%.From Fig 11a, the AUC of both TITAN and SVM is 0.99, which is the highest among all algorithms.And the ROC and P-R curves of these two algorithms almost completely overlap.Therefore, from the two curves, we can conclude that TITAN and SVM have better performance in the medium proportions attacks.However, as shown in Table 3, TITAN also has better Acc, Rec, F1 FA and MR than SVM.
And with the attack traffic proportion increases to 70%, 80%, and 90%, the Acc of TITAN increases and is higher than the compared methods.When the proportion of attack traffic reaches 90%, the accuracy, recall, and precision of TITAN increases to 99.42%, 98.88%, and 99.77%, the false alarm and miss rate decreases to 0.20% and 1.20%.In the meantime, GCN-TC has better recall and SVM has larger precision value and a lower false alarm rate.However, the AUC of TITAN is bigger than all other methods.Meanwhile, the P-R curve of TITAN is higher than other algorithms from Fig 12b .Hence, in this case, TITAN has a better overall detection performance than other methods.
When the attack traffic proportion changes from 10% to 90%, TITAN's false alarm rates are less than 0.5% most of the time, and the miss rates are lower than other methods.It shows that TITAN has fewer miss alarms and false alarms compared to other algorithms.Here is the possible reason of that phenomenon.For GCNID, the generated KNN graph only contains information about the flow on a particular switch and lacks all the information about the flow in the network.It causes GCNID to fail to achieve better detection even the attack traffic proportion is low or high.In the meantime, the detection accuracy of GCN-TC are around 75%. Notably, the Rec of GCN-TC are very low and the Pre are all 50%.The possible reason for that is GCN-TC produces trace traffic graph by adding edges for nodes with common IP address.It makes some nodes that represent the reverse flow of attack flow only have the attack node as its neighbor node, while some nodes representing the attack flow also have only normal flow neighbor nodes.The GCN model will perform weighted average calculation on the features of the neighbor and the central nodes to obtain an average value as the central node's feature.In this case, the GCN aggregates many attack nodes features in the trace traffic graph to a central normal nodes and also aggregates normal nodes features to attack node, resulting in a failure in detection.
For the LR algorithm, it is vulnerable to mistakenly detect normal traffic as attack.For the NB algorithm, it also cannot clearly distinguish attack traffic between normal traffic.In contrast, the SVM algorithm has a good detection result.However, when the proportion of attack traffic is increased to medium and high ratio, the recall of SVM is low, which means that SVM is difficult to identify the attack flow from the normal flows.
In conclusion, when the attack traffic proportion is low, medium, and high, TITAN can achieve higher accuracy, recall, precision, F1-score, false alarm and miss rate than other algorithms.

Conclusion
In this work, we propose a mechanism named TITAN for detecting saturation attack flows against SDN switches.Taking advantage of topology information, flow forward rules, and flow-based statistical features, TITAN designs BiFor-Graph, a bi-directional forwarding graph generation algorithm.The bi-directional forwarding graph contains the information of source, destination, forwarding path, and flow statistical features of a network flow.Furthermore, a GCN model is constructed for detecting saturation attack.We also made a detailed experiment for evaluating the detection performance of TITAN.The experiment results show that TITAN can effectively detect saturation attack against switches in SDN.
The experimental results show that TITAN outperforms other comparison algorithms because its generated graphs contain the bidirectional forwarding information for network flows, which has more comprehensive information than KNN graph.Additionally, compared with GCN-TC, TITAN can mitigate the negative effects on aggregating information caused by incorrectly connected edges.
This work proposes a BiFor-Graph-based mechanism to detect saturation attack towards SDN switches.However, the SDN controller is also the target of saturation attack.Consequently, it becomes challenging to simultaneously detect saturation attack flows targeting at the SDN controller and switches.Therefore, future research will focus on designing GNNbased methods to detect saturation attack flows targeted at SDN controller and switch.At the same time, TITAN is designed as a centralized saturation attack detection method.TITAN cannot detect saturation attack when it experiences runtime failures.Hence, in the future, we will also take our attention to distributed saturation attack detection methods.
In TITAN, we take the SDN controller to collect traffic statistics for detection.However, this method might lead to the controller-data bandwidth overhead.Consequently, there is a need for an attack detection data collection method that would not burden the network overhead.The network telemetry may be a suitable method to overcome that issue.Hence, the

Fig 1 .
Fig 1. Saturation attack targeted at the SDN switch [17].https://doi.org/10.1371/journal.pone.0299846.g001 As shown inFig 2,  this work proposes TITAN, a saturation attack detection method based on bidirectional forwarding graphs and GCN.TITAN consists of three steps: 1) graph information preprocessing, 2) bidirectional forwarding graph construction, and 3) saturation attack detection.The description of these steps is shown below.• Step 1: Graph information preprocessing.TITAN first gives the definitions of flow forwarding rules and topology information.Then it designs flow statistical features.The flow forwarding rules, topology information and flow statistical features are delivered to the next step to generate graph.• Step 2: Bidirectional forwarding graph construction.TITAN proposes BiFor-Graph, a bidirectional forwarding graph construction algorithm.BiFor-Graph first constructs the basic graph structure of the bidirectional forwarding graph for each network flow.Subsequently, it generates the node information based on the statistical characteristics of the network flow at different switches.• Step 3: Saturation attack detection.TITAN constructs a GCN model to detect the saturation attack.The bidirectional forwarding graph generated in step 2 is fed into that saturation attack detection model to perform graph detection and determine whether the network flow is a saturation attack flow.

Figs 6 and 7
show the changes of average bytes rate and packets rate.Fig 6 illustrates the changes of average byte rate when the saturation attack traffic proportion are 10%, 40%, and 80%.Fig 7 presents the variation of average packet rate as the attack traffic are about 20%, 50%, and 90%.

Fig 8 .
Hence, utilizing the survival time of a flow entry to detect saturation attack flow may improve the detection performance.

Table 2 . Definition of variables.
Topology information L. This work designs a tuple L ¼ f' 1 ; . . .; ' k g to represent the topology information.